[SECURITY-1660]

jenkinsci · Jan 14, 2020 · 6f35dbb · 6f35dbb
1 parent 7d44836
commit 6f35dbb
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 3 deletions.
diff --git a/core/src/main/java/jenkins/security/HMACConfidentialKey.java b/core/src/main/java/jenkins/security/HMACConfidentialKey.java
@@ -8,7 +8,9 @@
 import javax.crypto.spec.SecretKeySpec;
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
+import java.nio.charset.StandardCharsets;
 import java.security.GeneralSecurityException;
+import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.util.Arrays;
 
@@ -76,7 +78,7 @@ public synchronized byte[] mac(byte[] message) {
      * Convenience method for verifying the MAC code.
      */
     public boolean checkMac(byte[] message, byte[] mac) {
-        return Arrays.equals(mac(message),mac);
+        return MessageDigest.isEqual(mac(message),mac);
     }
 
     /**
@@ -95,7 +97,7 @@ public String mac(String message) {
      * Verifies MAC constructed from {@link #mac(String)}
      */
     public boolean checkMac(String message, String mac) {
-        return mac(message).equals(mac);
+        return MessageDigest.isEqual(mac(message).getBytes(StandardCharsets.UTF_8), mac.getBytes(StandardCharsets.UTF_8));
     }
 
     private byte[] chop(byte[] mac) {

diff --git a/core/src/main/java/jenkins/slaves/DefaultJnlpSlaveReceiver.java b/core/src/main/java/jenkins/slaves/DefaultJnlpSlaveReceiver.java
@@ -24,6 +24,8 @@
 import org.jenkinsci.remoting.engine.JnlpConnectionState;
 
 import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
 import java.util.concurrent.ExecutionException;
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.TimeoutException;
@@ -122,7 +124,7 @@ public void afterProperties(@NonNull JnlpConnectionState event) {
         Channel ch = computer.getChannel();
         if (ch != null) {
             String cookie = event.getProperty(JnlpConnectionState.COOKIE_KEY);
-            if (cookie != null && cookie.equals(ch.getProperty(COOKIE_NAME))) {
+            if (cookie != null && MessageDigest.isEqual(cookie.getBytes(StandardCharsets.UTF_8), ch.getProperty(COOKIE_NAME).toString().getBytes(StandardCharsets.UTF_8))) {
                 // we think we are currently connected, but this request proves that it's from the party
                 // we are supposed to be communicating to. so let the current one get disconnected
                 LOGGER.log(Level.INFO, "Disconnecting {0} as we are reconnected from the current peer", clientName);